WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

Browse source 
REQUIRES REGENERATING ansible.cfg!
This commit is contained in:
NaeiKinDus 2025-02-23 00:00:00 +00:00
parent 4af69c31ce
commit 888590ed9f
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
188 changed files with 30 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

97
ansible_collections/nullified/infrastructure/roles/nginx/tasks/main.yml Normal file
View file

@ -0,0 +1,97 @@
---
- name: install requirements
become: true
ansible.builtin.apt:
update_cache: true
force_apt_get: true
cache_valid_time: 3600
pkg:
- ca-certificates
- curl
- debian-archive-keyring
- gnupg2
- lsb-release
- name: install nginx repository
become: true
ansible.builtin.deb822_repository:
allow_downgrade_to_insecure: false
allow_insecure: false
allow_weak: false
components:
- nginx
enabled: true
name: nginx
signed_by: 'https://nginx.org/keys/nginx_signing.key'
state: present
suites: '{{ ansible_facts.distribution_release }}'
trusted: true
uris: 'http://nginx.org/packages/mainline/debian'
- name: pin nginx packages
become: true
ansible.builtin.copy:
content: |-
Package: *
Pin: origin nginx.org
Pin: release o=nginx
Pin-Priority: 900
dest: /etc/apt/preferences.d/55-nginx
mode: '0600'
owner: root
group: root
- name: update cache and install nginx package
become: true
ansible.builtin.apt:
cache_valid_time: 0
force_apt_get: true
update_cache: true
pkg: '{{ nginx_extra_packages | default([]) + ["nginx"] }}'
- ansible.builtin.include_tasks:
file: nginx-config.yml
apply:
tags: [webserver-config]
tags: [webserver-config]
- name: setup firewall rules
become: true
ansible.builtin.template:
src: ../templates/ingress_http_nginx.nft.j2
dest: /etc/nftables.d/ingress_http_nginx.nft
owner: root
group: root
mode: '0600'
notify:
- 'nginx : restart firewall service'
- ansible.builtin.include_tasks:
file: nginx-service-entry.yml
apply:
tags: [webserver-sites]
tags: [webserver-sites]
vars:
nginx_entry_type: site
loop: '{{ nginx_sites }}'
loop_control:
label: '{{ item.name }}'
- ansible.builtin.include_tasks:
file: nginx-service-entry.yml
apply:
tags: [webserver-streams]
tags: [webserver-streams]
vars:
nginx_entry_type: stream
loop: '{{ nginx_streams }}'
loop_control:
label: '{{ item.name }}'
- name: set permissions
become: true
ansible.builtin.file:
path: /etc/nginx
owner: '{{ nginx_service_user }}'
group: '{{ nginx_service_user }}'
mode: 'u=rwX,g=rX,o='
recurse: true

65
ansible_collections/nullified/infrastructure/roles/nginx/tasks/nginx-config.yml Normal file
View file

@ -0,0 +1,65 @@
---
- name: setup configuration directories
become: true
ansible.builtin.file:
path: '/etc/nginx/{{ item }}'
state: directory
owner: '{{ nginx_service_user }}'
group: '{{ nginx_service_group }}'
mode: '0750'
loop:
- conf.d
- ssl
- ssl/certificates
- ssl/keys
- sites-available
- sites-enabled
- streams-available
- streams-enabled
- name: remove default unneeded files
become: true
ansible.builtin.file:
path: '/etc/nginx/conf.d/default.conf'
state: absent
- name: generate dhparams.pem file
become: true
ansible.builtin.command:
cmd: /usr/bin/openssl dhparam -out /etc/nginx/ssl/dhparams.pem 4096
creates: /etc/nginx/ssl/dhparams.pem
notify:
- 'nginx : restart nginx service'
- name: setup nginx.conf
become: true
block:
- name: use default configuration
ansible.builtin.template:
src: ../templates/nginx.conf.j2
dest: /etc/nginx/nginx.conf
owner: '{{ nginx_service_user }}'
group: '{{ nginx_service_group }}'
mode: '0640'
when: nginx_custom_config is falsy
- name: use custom configuration
ansible.builtin.copy:
content: '{{ nginx_custom_config }}'
dest: /etc/nginx/nginx.conf
owner: '{{ nginx_service_user }}'
group: '{{ nginx_service_group }}'
mode: '0640'
when: nginx_custom_config is truthy
notify:
- 'nginx : restart nginx service'
- name: set process limits
become: true
ansible.builtin.template:
src: ../templates/nginx_limits.conf.j2
dest: /etc/security/limits.d/nginx.conf
owner: root
group: root
mode: '0600'
notify:
- 'nginx : restart nginx service'

49
ansible_collections/nullified/infrastructure/roles/nginx/tasks/nginx-service-entry.yml Normal file
View file

@ -0,0 +1,49 @@
---
- name: set facts
ansible.builtin.set_fact:
safe_filename: "{{ item.name | regex_replace('[^\\w]', '') }}"
nginx_entry_type: '{{ nginx_entry_type | default(item.get("entry_type", None)) }}'
- name: perform sanity checks
ansible.builtin.assert:
that:
- nginx_entry_type in ["stream", "site"]
fail_msg: Invalid value for `nginx_entry_type`; expected "stream" or "site", got "{{ nginx_entry_type }}"
- name: 'copy entry in {{ nginx_entry_type }}s-available'
become: true
ansible.builtin.copy:
content: '{{ item.content }}'
dest: "/etc/nginx/{{ nginx_entry_type }}s-available/{{ safe_filename }}.conf"
owner: '{{ nginx_service_user }}'
group: '{{ nginx_service_user }}'
mode: '0640'
when: item.get('state', 'present') == 'present'
notify:
- 'nginx : reload nginx service'
- name: 'enable {{ nginx_entry_type }}'
become: true
ansible.builtin.file:
src: "/etc/nginx/{{ nginx_entry_type }}s-available/{{ safe_filename }}.conf"
path: "/etc/nginx/{{ nginx_entry_type }}s-enabled/{{ safe_filename }}.conf"
owner: '{{ nginx_service_user }}'
group: '{{ nginx_service_user }}'
state: 'link'
when: item.get('state', 'present') == 'present'
notify:
- 'nginx : reload nginx service'
- name: 'disable {{ nginx_entry_type }}'
become: true
ansible.builtin.file:
path: "/etc/nginx/{{ nginx_entry_type }}s-enabled/{{ safe_filename }}.conf"
state: absent
when: item.get('state', 'present') in ['disabled', 'deleted']
- name: 'remove {{ nginx_entry_type }}'
become: true
ansible.builtin.file:
path: "/etc/nginx/{{ nginx_entry_type }}s-available/{{ safe_filename }}.conf"
state: absent
when: item.get('state', 'present') == 'deleted'